February 2013 ~ Tech Support For Dummies

Thursday, 28 February 2013

Mobile app security assessments

Posted on 14:13 by Unknown

I wrote recently about performing source code analysis for mobile apps. I'm seeing some crazy stuff that I didn't think I'd see in mobile apps (but I'm not really surprised) related to session manipulation, hard-coded cryptographic keys and the like which underscores the importance of the exercise.

But there's another side to mobile app security assessments - it's simply manual analysis. That is poking around with the apps and the mobile devices using good tools and proper techniques to find and demonstrate security and forensic-related flaws that aren't uncovered in traditional user, functional, and QA testing. In recent application assessments, I've found things like:

login-related weaknesses
information mishandling
insecure interactions with external applications/systems
exploits in general functionality that put PII at risk

Odds are good that you or someone you know is rolling out a new mobile app. Or perhaps you were an early adopter and need to validate that your existing apps are reasonably secure. The question is: What are you doing to ensure things are in check?

Like I say about a lot of things related to information security...do it yourself, allow me to help, or hire someone else - just do something.

Posted in message from Kevin, mobile apps, mobile security, penetration testing, source code analysis | No comments

Thursday, 21 February 2013

Yet another reason to get more in tune w/mobile & the cloud

Posted on 10:36 by Unknown

Here's a good post from Elcomsoft's Vladimir Katalov that underscores the dangers of many things I've written and spoken about in recent years:

Cloud security - especially as it relates to mobile apps (and in the case of this piece, iCloud)
Mobile control - BYOD, MDM and all those buzzwords sound nice but what exactly are you doing to ensure the business information that's being carelessly handled by your employees is kept in check? What's going to happen when it's exposed via such backdoors?
Legal documents - you can have all the privacy laws, policies, and end user agreements in the world but, at the end of the day, they're basically worthless. If the imperial government wants something, especially control like I talked about here, they're going to get it.

It's time to wake up and take some action.

Posted in | No comments

Monday, 18 February 2013

Self-delusion + infosec= foolishness

Posted on 07:00 by Unknown

I thought this quote from Ronald Reagan was quite fitting for President's Day:

"If history teaches anything, it teaches that self-delusion in the face of unpleasant facts is folly."

Posted in careers, great quotes, information security quotes, security leadership, stupid security | No comments

Tuesday, 12 February 2013

Mobile app security testing - are you checking for all the flaws?

Posted on 13:54 by Unknown

I plan to write a related post soon on my mobile app security assessments. In the meantime, I wanted to share a tool with you that plays a key role in mobile app security: Checkmarx CxDeveloper (or perhaps more appropriately called CxSuite).

If you're a developer, QA professional, security manager, or IT generalist, this is a good tool to have for all of those gotta-have-now apps that everyone is throwing together getting in the app stores.

I've used CxDeveloper to find flaws in iOS and Android-based apps that may not be discovered via traditional testing such as:

Code injection
Session fixation
Path traversal
Weak passwords
Hard-coded cryptographic keys

...all things that I'm not smart enough to find on my own. Nor do I have the time.

For a few years now, I've dealt with the folks at Checkmarx and everyone from their CTO to their Director of Marketing - and a few others in between - has been super nice and responsive to my sometimes ridiculous requests.

Here's a guest blog post I've written for them:
Three compelling reasons to check your mobile app source code

And a webinar as well:
The Business Value of Partial Code Scanning

I also cover CxDeveloper in my Mobile Security chapter in the latest edition of my book Hacking For Dummies.

CxDeveloper isn't without its flaws. It's installation process and interface can be cumbersome but nothing that can't be overcome. It's certainly a worthy alternative to the big-box competitors...check it out if you want to find out the rest of the story with your mobile apps.

Posted in cool products, Kevin's security content, mobile apps, mobile security, security testing tools, source code, source code analysis, web application security, webcasts | No comments

Wednesday, 6 February 2013

Reactive security, eh? How’s that workin' for ya?

Posted on 12:10 by Unknown

Every time I browse the Chronology of Data Breaches and read the headlines coming out from Dark Reading, threatpost, and the like, I can't help but shake my head.

What is it really going to take to get people - mostly management, but some in IT - to fix the stupid, silly, low-hanging fruit that's plaguing so many networks today...? Well, here's a new piece I wrote for the nice folks at Lumension where I delve into this subject a little more.

As Thomas Jefferson said, Determine never to be idle. It is wonderful how much may be done if we are always doing. Our security problems can be fixed if we choose to fix them.

Posted in back to basics, great quotes, information security quotes, Kevin's security content, low-hanging fruit, stupid security, thinking long term | No comments

Tech Support For Dummies